After 2.0.3 upgrade, empty tables if FQDN aliases



  • All my firewall rules that relied on aliases based on FQDN hosts are empty after the 2.02 –> 2.0.3 upgrade.

    New (FQDN) aliases do not generate anything in the tables

    pfctl -T show -t test
    [empty]

    :(

    I can do the lookups via diag DNS on my pfsense machine.

    Checked system DNS settings and did a reboot, problem is still there.

    Any thoughts?

    Thanks!



  • I had this same issue. It brought my network to its knees, seeing as I have time and host restrictions based off of FQDNs in aliases. I had to revert to 2.0.2. I would like to know if anyone else has had this issue.


  • Rebel Alliance Developer Netgate

    Mine all work fine in test VMs, hostname entries are in the tables as expected.

    Check Diag > Tables and see if you see them there.

    Also, is this amd64 or i386?
    Any errors in the logs from filterdns or similar?

    What does your /var/etc/filterdns.conf look like?



  • @jimp:

    Mine all work fine in test VMs, hostname entries are in the tables as expected.

    Check Diag > Tables and see if you see them there.

    Also, is this amd64 or i386?
    Any errors in the logs from filterdns or similar?

    What does your /var/etc/filterdns.conf look like?

    Diag > Tables = Empty

    i386

    Lines from the log with error, no dns/filterdns related:

    untitled text 3:17: Apr 16 22:47:46 pfsense kernel: module_register_init: MOD_LOAD (ipw_bss_fw, 0xc0712580, 0) error 1
    untitled text 3:21: Apr 16 22:47:46 pfsense kernel: module_register_init: MOD_LOAD (ipw_ibss_fw, 0xc0712620, 0) error 1
    untitled text 3:24: Apr 16 22:47:46 pfsense kernel: module_register_init: MOD_LOAD (ipw_monitor_fw, 0xc07126c0, 0) error 1
    untitled text 3:27: Apr 16 22:47:46 pfsense kernel: module_register_init: MOD_LOAD (wpi_fw, 0xc0891ba0, 0) error 1
    untitled text 3:29: Apr 16 22:47:46 pfsense kernel: ACPI Error: A valid RSDP was not found (20100331/tbxfroot-309)
    untitled text 3:130: Apr 16 22:48:31 pfsense dhcpleases: kqueue error: unkown
    untitled text 3:153: Apr 16 22:49:10 pfsense apinger: Error while feeding rrdtool: Broken pipe
    untitled text 3:1177: Apr 18 09:43:00 pfsense kernel: vr1: vr_link_task: Tx/Rx shutdown error -- resetting
    untitled text 3:1181: Apr 18 09:43:01 pfsense kernel: vr1: vr_stop: Rx shutdown error
    
    

    /var/etc/filterdns.conf:

    pf xxxx.mine.nu fw3g
    pf p1.p.monitorscout.com MS_probes
    pf p2.p.monitorscout.com MS_probes
    pf p3.p.monitorscout.com MS_probes
    pf p4.p.monitorscout.com MS_probes
    pf p5.p.monitorscout.com MS_probes
    pf p6.p.monitorscout.com MS_probes
    pf p7.p.monitorscout.com MS_probes
    pf p8.p.monitorscout.com MS_probes
    pf p9.p.monitorscout.com MS_probes
    pf p10.p.monitorscout.com MS_probes
    pf p11.p.monitorscout.com MS_probes
    pf p12.p.monitorscout.com MS_probes
    pf p13.p.monitorscout.com MS_probes
    pf p14.p.monitorscout.com MS_probes
    pf p15.p.monitorscout.com MS_probes
    pf p16.p.monitorscout.com MS_probes
    pf p17.p.monitorscout.com MS_probes
    pf p18.p.monitorscout.com MS_probes
    pf p19.p.monitorscout.com MS_probes
    pf p20.p.monitorscout.com MS_probes
    pf p21.p.monitorscout.com MS_probes
    pf p22.p.monitorscout.com MS_probes
    pf p23.p.monitorscout.com MS_probes
    pf p24.p.monitorscout.com MS_probes
    pf p25.p.monitorscout.com MS_probes
    pf xxxxx.co.uk oppouk
    pf bob.xxxx.xx ping
    pf xxxx.mine.nu ping
    pf xxxx.mine.nu ping
    pf xxxx.mine.nu ping
    pf fth-int-1.xxxx.xx ping
    pf oitp.xxxxx.xx ping
    pf xxxx.mine.nu ping
    pf xxxx.mine.nu ping
    pf p1.p.monitorscout.com ping
    pf p2.p.monitorscout.com ping
    pf p3.p.monitorscout.com ping
    pf p4.p.monitorscout.com ping
    pf p5.p.monitorscout.com ping
    pf p6.p.monitorscout.com ping
    pf p7.p.monitorscout.com ping
    pf p8.p.monitorscout.com ping
    pf p9.p.monitorscout.com ping
    pf p10.p.monitorscout.com ping
    pf p11.p.monitorscout.com ping
    pf p12.p.monitorscout.com ping
    pf p13.p.monitorscout.com ping
    pf p14.p.monitorscout.com ping
    pf p15.p.monitorscout.com ping
    pf p16.p.monitorscout.com ping
    pf p17.p.monitorscout.com ping
    pf p18.p.monitorscout.com ping
    pf p19.p.monitorscout.com ping
    pf p20.p.monitorscout.com ping
    pf p21.p.monitorscout.com ping
    pf p22.p.monitorscout.com ping
    pf p23.p.monitorscout.com ping
    pf p24.p.monitorscout.com ping
    pf p25.p.monitorscout.com ping
    pf xxxx.vpntunnel.xxx routevpn
    pf svtplay.se svtplay
    pf www.svtplay.se svtplay
    pf www.svtplay.se.edgesuite.net svtplay
    pf p1.p.monitorscout.com test
    pf p2.p.monitorscout.com test
    pf xxxx.mine.nu tracker
    pf xxxx.mine.nu tracker
    pf xxxx.mine.nu tracker
    pf xxxx.mine.nu tracker
    pf xxxx.mine.nu tracker
    pf xxxx.mine.nu tracker
    pf xxxx.mine.nu vpnaccess
    


  • For what it is worth, if I'm hammering the webGUI after a reboot and login really quick and check the Diag - Tables I will find the entries.

    Then I'll check the command: 'pfctl -T show -t <alias>' and it is empty.

    And then they are gone from the webGUI on the next reload of the tables, so it seems to work for a short period after a reboot.



  • I have now cleared unused firewall rules and some aliases, that did the trick! My FQDN alias is now listed in the tables.

    I don't have any specific rule to suspect, maybe it was the rule including policy routing that had an alias for the GW.
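
A check for the symptom reported in this thread, as an added example that is not part of any post and is not pfSense code: it reads lines in the `pf <hostname> <table>` layout seen in the posted filterdns.conf and lists every table that has hostnames configured but no addresses loaded, so rules depending on those aliases are known to match nothing. The function names, the `SHOW_TABLE` hook and the sample hostnames are assumptions made for the example.

```sh
#!/bin/sh
# Added example: find pf tables that filterdns should be filling but that are empty.

# Constructed sample in the "pf <hostname> <table>" layout shown in the thread.
SAMPLE_CONF='pf host1.example.com MS_probes
pf host2.example.com MS_probes
pf host1.example.com ping
pf www.example.org svtplay'

# Print the unique table names referenced by a filterdns.conf read from stdin.
filterdns_tables() {
    awk '$1 == "pf" && NF >= 3 { print $3 }' | LC_ALL=C sort -u
}

# Default way to list a table's addresses: the same pfctl query used in the thread.
pfctl_show() {
    pfctl -T show -t "$1" 2>/dev/null
}

# Count the addresses currently loaded in one table.
# SHOW_TABLE (hypothetical hook) can name another function for offline testing.
# A table that does not exist yields no output and therefore counts as 0.
table_count() {
    ${SHOW_TABLE:-pfctl_show} "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Read a filterdns.conf from stdin and print each table that has at least one
# hostname configured but zero addresses loaded.
empty_tables() {
    for t in $(filterdns_tables); do
        if [ "$(table_count "$t")" -eq 0 ]; then
            echo "$t"
        fi
    done
    return 0
}

# On a firewall, check the live configuration; elsewhere this is skipped.
if command -v pfctl >/dev/null 2>&1 && [ -r /var/etc/filterdns.conf ]; then
    empty_tables < /var/etc/filterdns.conf
fi
```

Because the thread reports tables that are populated right after boot and emptied on the next reload, a single run shortly after a reboot can miss the problem; repeat the check after the tables have been reloaded.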

